Where Did Hacking Team Buy Its Hacks? Three Accused Brokers Deny Wrongdoing

Hacking Team, the controversial Italy-based surveillance company that was recently hacked, couldn't have provided its services to customers all over the world without a bit of help. Leaked documents show that the company sourced some of its exploits, code that allows Hacking Team to break into computers, from several other individuals and brokers.

A few of those have been getting some serious flak from members of the security community for selling products to Hacking Team. But three of them who spoke to Motherboard deny any wrongdoing.

"We can't really control or be responsible for or in charge of what people do with exploits," Adriel Desautels from security company Netragard, one of the exploit brokers who dealt with Hacking Team, told Motherboard in a phone interview.

On Friday, Christopher Soghoian, a principle technologist at ACLU, tweeted that two computer exploit brokers based in the US "sold to Hacking Team in 2014, long after reports revealed [Hacking Team] sold to human rights abusers."

Desautels sold one item to CICOM, the US subsidiary of Hacking Team, he told Motherboard. "We vetted CICOM USA, we didn't fully vet Hacking Team, which we should have," Desautels said.

Desautels said that, at the time, he had no idea that Hacking Team had been accused of human rights violations. When pressed, he conceded that, "I heard news about Hacking Team being questionable and so on, but it was the same kind of fodder, or FUD, that we hear all the time about zero-days." FUD ("Fear, Uncertainty and Doubt") is a term used to describe the spread of dubious negative information.

Desautels said that when he dealt with CICOM, he didn't think the company was one and the same as Hacking Team—despite Hacking Team approaching him originally—and that CICOM's customers were "friendly country law enforcement."

In a more recent email from March of this year, Desautels writes to Hacking Team, this time directly after his company changed its "internal customer policies" and says that, "We do understand who your customers are both afar and in the US and are comfortable working with you directly."

The other exploit broker mentioned by Soghoian was Dustin Trammell, who goes by the screen name |)ruid. He denies selling any exploits to Hacking Team; talk of an exploit is evident in leaked emails between Trammell and the company but it's unclear if there was a sale.

"We have not sold anything to Hacking Team and only sell to domestic US entities," he told Motherboard in an email.

When asked who he thought Hacking Team's customers were, Trammell said, "Who Hacking Team's customers are do not concern us as we have not sold them anything nor have had any intention to sell them anything."

Finally, Vitaliy Toropov, an independent researcher who sold a number of exploits to Hacking Team, said he had no moral problem doing business with the company.

"I thought HT [Hacking Team] sells to the US and EU gov structures mostly, LEAs [Law Enforcement Agencies] etc," he told Motherboard in an email. "I was sure that HT activity is restricted and monitored by their local government and EU laws, and if it's not used against 'normal' users there can't be any moral issues."

It's important to remember that the trade of computer exploits is a legitimate business: developers and researchers have to invoice just like everyone else, and stay within trade regulations. The problem here is that these vendors may have been somehow involved with a company that sold surveillance software to some of the most brutal regimes on the planet.

Whether those who dealt with Hacking Team are at all responsible for how their exploits were used is an open question. But as the leaks continue to be scrutinised, people with more links to the company are sure to be discovered.